WCF身份验证+授权

Question

We have WCF 4.5 service and we are trying to secure it.

We have users in our database schema but what we want to do is operations like

[OperationsContract]
void PostMessage(string message, int userId) 
   //used ID is supposed to be id of user who post message

our service is secured with basicHttpsBinding with basic authorization. I can get username of user who accessed that method with:

ServiceSecurityContext.Current.PrimaryIdentity.Name

But how can i Add his database Id into PrimaryIdentity. In other words, How to verify, that he user with username "John" can only send his userId. What is the best technology to verify him?

Also how it is possible that STATIC variable (Current) is different for each request. We use default WCF instanceMode which is... PerSession. So how it is possible to have static variable different for each request.

It feels pretty lame to query database for userId by his username for each request.

Answer 1

It feels pretty lame to query database for userId by his username for each request.

I disagree.

In order to provide secure WCF service I would check credentials per request. One way of doing it is to create custom UserNamePasswordValidator and override Validate method. You should also configure your Web.config to use your custom validator.

<behaviors>
  <serviceBehaviors>
    <behavior name="GeneralBehavior">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCFApp.UserNamePassValidator, WCFApp" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>